Overview

overview

9

Static

static

9dc4f90e79...bb.msi

windows7_x64

9

9dc4f90e79...bb.msi

windows10-2004_x64

6

Analysis

  • max time kernel
    142s
  • max time network
    45s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    25-06-2022 03:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9dc4f90e793c50ff837c8cda2ae9823637bf0188bdd5d39ebae33605b48e7abb.msi

  • Size

    500KB

  • MD5

    847a9e7d782d0232581752856a146e5b

  • SHA1

    6abe12d2ec534673f16b1a4f5f7f4082a2a2acc3

  • SHA256

    9dc4f90e793c50ff837c8cda2ae9823637bf0188bdd5d39ebae33605b48e7abb

  • SHA512

    7380dcaf0a6fec8faebd4e90b182dda04aae4a349c3b5338e52d6222e5a70ff18cb3bc56635762a6693b79b5ec4e9ca4b9462f58fc7865bb0aafed7828a85d45

Score
9/10
rezer0

Malware Config

Signatures

  • ReZer0 packer 1 IoCs

    Detects ReZer0, a packer with multiple versions used in various campaigns.

    rezer0
  • Executes dropped EXE 1 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 57 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\9dc4f90e793c50ff837c8cda2ae9823637bf0188bdd5d39ebae33605b48e7abb.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1108
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:908
    • C:\Windows\Installer\MSIE247.tmp
      "C:\Windows\Installer\MSIE247.tmp"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1912
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\byqPAkLJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF2F7.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:916
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:852
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000004D0" "00000000000003E4"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:1668

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpF2F7.tmp
    Filesize

    1KB

    MD5

    575e77e9e0210babd29bd42e7753b299

    SHA1

    07f5d56af276a4289c29318282ccf392d089ca39

    SHA256

    8b6e0b403fc8a4b8d1cd232bbd8d684b08b3e0fcdbb8caf9ad773e75aabeb73b

    SHA512

    c0a19424b88321dbb3c6da997c5c606dc264da41505a79022b7b095ca66b43ad38909f0e91565fdff635215ad2d7c23c5a19085aa63b08324d837c37bd7bd26b

    Download Submit
  • C:\Windows\Installer\MSIE247.tmp
    Filesize

    473KB

    MD5

    448ef95d442eddb34afa932c7127494b

    SHA1

    4910c082cd4b5f19b16f0b60480ae76e96beb4ee

    SHA256

    6c3bc543be55d71ab8ad5865f8debf5cca5ce4596caa84d2da92144b35a04486

    SHA512

    530438b9ad0655db70f0fcf991e32b844114a2a0ca6f7267d659180836be7a6aded0f823af0768491dd540912747ac7491e0317589a9c68a35ae609c326216ca

    Download Submit
  • C:\Windows\Installer\MSIE247.tmp
    Filesize

    473KB

    MD5

    448ef95d442eddb34afa932c7127494b

    SHA1

    4910c082cd4b5f19b16f0b60480ae76e96beb4ee

    SHA256

    6c3bc543be55d71ab8ad5865f8debf5cca5ce4596caa84d2da92144b35a04486

    SHA512

    530438b9ad0655db70f0fcf991e32b844114a2a0ca6f7267d659180836be7a6aded0f823af0768491dd540912747ac7491e0317589a9c68a35ae609c326216ca

    Download Submit
  • memory/916-63-0x0000000000000000-mapping.dmp
    Download
  • memory/1108-54-0x000007FEFBFF1000-0x000007FEFBFF3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1912-56-0x0000000000000000-mapping.dmp
    Download
  • memory/1912-59-0x00000000011D0000-0x000000000124C000-memory.dmp
    Filesize

    496KB

    Download
  • memory/1912-60-0x0000000075DF1000-0x0000000075DF3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1912-61-0x00000000004F0000-0x00000000004F8000-memory.dmp
    Filesize

    32KB

    Download
  • memory/1912-62-0x0000000000980000-0x00000000009D8000-memory.dmp
    Filesize

    352KB

    Download